10-28-2014 06:07 AM
Hello.
I have a problem with the way PA handles FTP sessions. I have a general rule which allows privileged user groups to have full access to a certain network. So application and service in this rule is 'any'. One of the applications users will be using is FTP.
When I look at traffic logs I see 2 TCP sessions for each use of the FTP application. Let's say the client is at 1.1.1.1 and the FTP server at 2.2.2.2.
Every time a client starts an FTP session I see 2 TCP sessions in the logs:
- TCP session from 1.1.1.1:yyyy to 2.2.2.2:21
- followed by TCP session from 2.2.2.2:xxxx to 1.1.1.1:20
I know the FTP application consists of 2 TCP sessions. But shouldn't PA as an application firewall match the DATA session with the CONTROL session and regard them as a single use of the FTP application?
This will be a big issue when the traffic from the mentioned network towards user segment will be set to 'deny'. I don't think having to open port 20 towards user segment is the way to go on application firewall.
Best regards,
Simon
10-30-2014 04:32 AM
To clarify my scenario, I was seeing FTP traffic incoming (appeared to be initiated from an internet source, which is an untrust zone for us) and being allowed to one of our NAT IPs and logged under our outbound rule. This didn't make sense as all traffic incoming from the internet (untrust zone) to our NAT IP is set to deny and logged under a different rule. Under further investigation it was determined this FTP traffic was initiated from an internal device (trusted zone), which is normal for us and is set to allow, and the inbound untrust zone traffic in question was in fact the return traffic. As someone mentioned, the traffic appears in pairs. If I were to do a screenshot of this type of traffic it would look the same as yours above. I did not have to create a rule to allow the return FTP traffic back. If untrust zone traffic were to initiate an FTP session to our NAT IP this traffic would be dropped under our deny rule. Hope this helps.
10-30-2014 05:41 AM
Hi Santonic,
FTP and FTP-data session IDs don't have to be similar. They can be different. So based on session ID you cannot determine if they are in a pair.
If the FTP application generates multiple sessions then they are allowed. Let me know if this helps.
Regards,
Hardik Shah
10-30-2014 06:44 AM
Hello Santonic,
The session IDs will be different. The control channel will be the 'Parent Session' and the data channel will be the 'child session'. But they work together, i.e. the child session will be predicted (and converted to an Active Flow) based on the parent session. Here is a sample output of a child session:
> show session id 685
Session 685 <<<<<<<<<<<<<<<< Child Session ID
c2s flow:
source: 192.168.23.215 [trust-L3]
dst: 10.66.22.169
proto: 6
sport: 64047 dport: 24492
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.66.22.169 [dmz-L3]
dst: 10.66.22.23
proto: 6
sport: 24492 dport: 2671
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Sat Mar 29 06:51:52 2014
timeout : 30 sec
time to live : 24 sec
total byte count(c2s) : 25293
total byte count(s2c) : 69890
layer7 packet count(c2s) : 416
layer7 packet count(s2c) : 461
vsys : vsys1
application : ftp-data
rule : trust-2-dmz
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : nat-trust-2-dmz(vsys1)
layer7 processing : completed
URL filtering enabled : False
session via prediction : True
use parent's policy : True
parent session : 683 <<<<<<<<<<<<<<<<<<<<<<<<< Parent session ID
refresh parent session : True
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/5
Let us know if that helps and if you have any questions.
Regards,
Dileep
10-30-2014 07:00 AM
Yes. Dileep is correct. Just to add to it, in an FTP connection there will be only one control connection, but there may be multiple data connections, one for each transaction. For example, after a successful login, if you issue LS (directory listing)/PUT/GET, every time it will create a different data connection.
Thanks
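Added example, not from this thread or from Palo Alto Networks: a small Python parser for the "show session id" layout Dileep pasted, which groups predicted ftp-data children under their parent control session (the one-control-many-data pattern the last reply describes), plus the RFC 959 PORT arithmetic an FTP ALG uses to predict an active-mode data flow. The sample dump and the PORT line are constructed, and parse_session, group_children and predict_active_data_flow are hypothetical names.

```python
import re

# Constructed sample in the layout of a PAN-OS "show session id" dump; the
# values copy the child session 685 / parent 683 shown earlier in the thread.
SAMPLE_CHILD = """\
Session 685
  c2s flow:
    source: 192.168.23.215 [trust-L3]
    dst: 10.66.22.169
    proto: 6
    sport: 64047 dport: 24492
  application : ftp-data
  rule : trust-2-dmz
  session via prediction : True
  use parent's policy : True
  parent session : 683
  refresh parent session : True
"""
FIELDS = ("application", "rule", "session via prediction",
          "use parent's policy", "parent session")

def parse_session(text):
    """Return the session id, the FIELDS values (matched at line start, so
    "parent session" is not confused with "refresh parent session") and the
    c2s 5-tuple (src, sport, dst, dport, proto) from one session dump."""
    info = {"id": int(re.search(r"^Session (\d+)", text, re.M).group(1))}
    for key in FIELDS:
        m = re.search(r"^\s*" + re.escape(key) + r"\s*:\s*(\S+)", text, re.M)
        info[key] = m.group(1) if m else None
    f = re.search(r"c2s flow:.*?source: (\S+).*?dst: (\S+).*?proto: (\d+)"
                  r".*?sport: (\d+) dport: (\d+)", text, re.S)
    info["c2s"] = (f.group(1), int(f.group(4)), f.group(2), int(f.group(5)), int(f.group(3)))
    return info

def group_children(sessions):
    """Map each parent (control) session id to its predicted ftp-data
    children: one FTP login with several transfers is one key, N values."""
    tree = {}
    for s in sessions:
        if s["session via prediction"] == "True" and s["parent session"]:
            tree.setdefault(int(s["parent session"]), []).append(s["id"])
    return tree

def predict_active_data_flow(port_cmd, server_ip):
    """Flow an FTP ALG pre-creates from an active-mode "PORT h1,h2,h3,h4,p1,p2"
    control line: server port 20 to the announced client address (RFC 959)."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*", port_cmd)
    if not m:
        return None
    client_ip = ".".join(m.group(i) for i in range(1, 5))
    return (server_ip, 20, client_ip, int(m.group(5)) * 256 + int(m.group(6)))
```

Feeding every dump from a box into group_children shows each FTP use as one control session with its data children, which is the view to check before deciding that port 20 needs its own rule.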